A job hazard analysis (JHA) — also called a job safety analysis (JSA) — is a structured way of examining a task, spotting the things that could hurt someone, and deciding what to do about them before the work starts. Done well, it's one of the highest-leverage documents in your safety system. Done badly, it's a form someone copy-pastes from last year and nobody reads.
This guide walks through a practical six-step method you can apply to any task today, plus the mistakes that get JHAs flagged in an audit.
What a job hazard analysis actually is
A JHA breaks a job down into its individual steps, identifies the hazards associated with each step, and specifies the controls that reduce the risk to an acceptable level. It answers three questions for every step of a task:
- What could go wrong here? (the hazard)
- How bad could it be, and how likely? (the risk)
- What are we doing about it? (the control)
It is not the same as a risk assessment of a whole area or process — a JHA is task-focused and granular. It's the level at which real injuries happen.
Step 1 — Choose and prioritise the job
You can't analyse every task at once, so start where the risk is highest. Prioritise jobs with:
- A history of incidents, near misses, or injuries
- The potential for severe harm even if incidents are rare (confined space, work at height, energised systems)
- New or recently changed processes, equipment, or materials
- Complex sequences where a missed step has consequences
Define the boundaries of the job clearly: where it starts, where it ends, and what's included. "Replace pump P-204" is analysable. "Maintenance" is not.
Step 2 — Break the job into steps
List the job as a sequence of steps in the order they're performed. Aim for the level where each step is a distinct action — typically 8–15 steps for most tasks. Too few and you'll hide hazards inside vague steps; too many and the analysis becomes unusable.
Describe what is done, not how. "Isolate the electrical supply" is a step. Watch the actual job being done, or walk it through with the people who do it — desk-written step lists miss the workarounds and shortcuts that cause real incidents.
Step 3 — Identify the hazards in each step
For every step, ask what could cause harm. Work through hazard categories so you don't rely on memory alone:
| Category | Examples |
|---|---|
| Mechanical | Moving parts, crushing, entanglement, stored energy |
| Gravity | Falls from height, falling objects, slips and trips |
| Electrical | Live conductors, arc flash, static |
| Chemical | Toxic, corrosive, flammable substances; exposure routes |
| Physical | Noise, vibration, heat, cold, radiation |
| Ergonomic | Manual handling, repetitive motion, awkward posture |
| Environmental | Confined space, poor visibility, weather, oxygen deficiency |
Be specific. "Chemical hazard" is weak. "Exposure to hydrogen sulphide when opening the tank hatch" tells you what control you need.
Step 4 — Assess the risk
For each hazard, estimate the risk so you can prioritise controls. The most common approach is a severity × likelihood matrix — typically 5×5 — giving a score you can rank and threshold.
| Severity 1 | Severity 3 | Severity 5 | |
|---|---|---|---|
| Likelihood 5 | 5 — Low | 15 — High | 25 — Extreme |
| Likelihood 3 | 3 — Low | 9 — Medium | 15 — High |
| Likelihood 1 | 1 — Low | 3 — Low | 5 — Low |
Score the risk twice: once before controls (inherent risk) and once after the controls you plan to apply (residual risk). The gap between them is the evidence that your controls actually do something — and it's exactly what an auditor looks for.
Step 5 — Assign controls using the hierarchy
Not all controls are equal. Apply the hierarchy of controls, working from most effective to least, and prefer higher-order controls wherever practicable:
- Elimination — remove the hazard entirely (do the job a different way)
- Substitution — replace it with something less hazardous
- Engineering controls — isolate people from the hazard (guarding, ventilation, interlocks)
- Administrative controls — procedures, permits, training, signage
- PPE — the last line of defence, not the first
A JHA that solves everything with "wear gloves and be careful" is a red flag. If every control sits at the bottom of the hierarchy, you haven't finished the analysis.
Step 6 — Review, communicate, and keep it live
A JHA is only useful if it reaches the people doing the work and stays current. Before the job:
- Have a competent person review and approve it
- Walk through it with the crew as part of the pre-task briefing
- Link it to the permit to work, if the task requires one
Then treat it as a living document. Review it when the task, equipment, or materials change, after any incident or near miss involving the task, and on a scheduled cycle (annually is common). A JHA filed and forgotten is worth nothing.
Common mistakes that get JHAs flagged
- Written without the workers. The people who do the job know the steps you'll miss.
- Steps too vague. "Set up equipment" hides five hazards.
- Controls all at the bottom of the hierarchy. PPE-only analyses rarely reduce real risk.
- No residual scoring. Without a before-and-after, you can't show the controls work.
- Never reviewed. A JHA dated three years ago, on a process that has since changed, is an audit finding waiting to happen.
A quick worked example
Task: Changing a grinding wheel on a bench grinder.
| Step | Hazard | Control |
|---|---|---|
| Isolate the grinder | Unexpected start-up | Lock-out/tag-out; verify zero energy (engineering + admin) |
| Remove the guard and old wheel | Cuts from wheel edge; residual rotation | Cut-resistant gloves; confirm wheel stationary (PPE + admin) |
| Fit the new wheel | Wheel burst from wrong size/damage | Ring-test wheel; match rated speed to grinder (elimination of defective wheel) |
| Refit guard and test-run | Fragments if wheel fails on start | Run for one minute standing to the side, guard closed (engineering + admin) |
Write JHAs that cite your own procedures
ENSURE's JHA module suggests hazards and controls grounded in the SOPs your organisation has already uploaded — with pre- and post-control scoring and a link straight to Permit to Work. See it run on your own task in a 30-minute demo.